Just FYI, I got bounced from the security-announce list, so I'll be posting this again once our beloved FLUFL gives me the right permissions.

I'll include this list on the re-send as well, just in case it helps with threading.

On 07Mar2018 0834, Steve Dower wrote:
On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It has been patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker is able to influence the location where links are created. As os.symlink requires additional privileges, exploits using this vulnerability are more likely to result in escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of each path argument is less than 260, and if the source is a relative path, that its combination with the destination is also shorter than 260 characters. That is:

     assert (len(src) < 260 and
             len(dest) < 260 and
             len(os.path.join(os.path.dirname(dest), src)) < 260)
     os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation, but will still not behave correctly for long paths.

This vulnerability has been registered as CVE-2018-1000117, and patched in the commits listed below. This patch prevents the buffer overflow, but does not raise any new errors or enable the use of long paths when creating symlinks.

 master: http://hg.python.org/lookup/6921e73e33edc3c61bc2d78ed558eaa22a89a564     3.7: http://hg.python.org/lookup/96fdbacb7797a564249fd59ccf86ec153c4bb095     3.6: http://hg.python.org/lookup/baa45079466eda1f5636a6d13f3a60c2c00fdcd3
     3.5: (not yet merged)
     3.4: (not yet merged)

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000117 for the official record. Discussion to https://bugs.python.org/issue33001 or security-sig@python.org.

Steve Dower on behalf of the Python Security Response team
Security-SIG mailing list
Security-SIG mailing list

Reply via email to